INEt Zero JNCIE Workbook

Published on December 2016

http://www.inetzero.com - Copyright 2012 iNET ZERO. All rights reserved

iNET ZERO – JNCIE-ENT
Lab preparation workbook v1.0
For Juniper Networks ® - JNCIE-ENT Lab exam



Copyright information

This workbook, iNET ZERO's JNCIE-ENT Lab Preparation Workbook, was developed by iNET ZERO.
All rights reserved. No part of this publication may be reproduced or distributed in any form or by
any means without the prior written permission of iNET ZERO.
This product cannot be used by or transferred to any other person. You are not allowed to rent,
lease, loan or sell iNET ZERO training products including this workbook.
You are not allowed to modify, copy, upload, email or distribute this workbook in any way. This
product may only be used and printed for your own personal use and may not be used in any
commercial way.
Juniper (c), Juniper Networks (c), JNCIE, JNCIP, JNCIS, JNCIA, Juniper Networks Certified Internet
Expert, are registered trademarks of Juniper Networks, Inc.


About iNET ZERO’s content developers and authors:

Maxim Frolov

Maxim lives in Russia and speaks Russian and English. He started his networking career in 1999. Throughout the years Maxim
has designed and implemented several large scale networks for enterprise and service provider customers. Over the years he
has developed several high quality courseware materials for industry leading networking vendors. Maxim has the following
certifications: JNCIE, JNCIP-ENT, JNCIS-SEC, Nortel NNCSS and is a certified Juniper Networks Instructor. In technology,
Max values efficiency and pragmatic design. When Max is not at work he likes to spend time with his family. Max enjoys being
outside in nature and loves to travel and explore the world.

Jörg Buesink

Jörg lives in the Netherlands near Amsterdam and brings more than 10 years of experience in the IT
and networking industry. He has worked for several large ISPs / service providers in the role of
technical consultant, designer and network architect. He has extensive experience in network
implementation, design and architecture and has taught several networking classes. Jörg is triple JNCIE
certified (JNCIE-ENT#21, JNCIE-SP#284 and JNCIE-SEC#30) as well as triple CCIE#10532 (Routing/
Switching, Service provider and Security) and Cisco CCDE#20110002 certified.

Alan Gravett

Originally from South Africa, Alan spent a long time away from his country of birth, travelling
extensively and learning about different peoples and cultures. Alan’s experience in the IT industry
started more than 30 years ago, but had a necessary break for a few years in between. He was also
the first South African to be employed by Juniper Networks, which, after working at UUNET, the biggest
ISP on the planet at the time, provided the opportunity to really see and understand how the biggest
networks on the planet are designed. As an early starter at Juniper, he has had the opportunity to
become both JNCIE-SP #24 as well as JNCIE-ENT #9. During his career at Juniper Networks Alan
has had the pleasure of sharing much of this knowledge with hundreds of students and also of verifying
their understanding as the primary EMEA based Certification proctor for the JUNOS Professional and
Expert Lab exams. Alan’s first language is English, but he is also fluent in Dutch.


Alexey Kolmov

Alexei lives in Moscow and speaks Russian and English. He started his career in the telecommunication
area in 1995 as a technician in S.W.I.F.T. Access Point. Since that time he has gained experience as a
field, technical support and systems engineer, project manager, technical writer and instructor. He has
taken part in many projects for corporate clients and service providers, participated in the creation of
networks based on X.25, Frame Relay, ATM, PDH/SDH, TCP/IP and VoIP technologies, and learned and
implemented solutions from Motorola, Nortel Networks, Tellabs and Acme Packet.
Since 2006 Alexei has been working with Juniper Networks technologies and products, focusing
primarily on security solutions. Alexei becomes energized and determined to stimulate people to
move, grow and develop to higher levels of personal effectiveness. Alexei is a certified Juniper
Networks Instructor and holds the following certifications: JNCIP-M/T, JNCIP-SEC, JNCIS-FW, JNCIS-SSL,
JNCIA-EX, JNCI and Acme Packet Certified Instructor.

Richard Pracko

Richard Pracko comes from the heart of Europe, from the small but beautiful country of Slovakia. Right
after finishing his studies at the university with telecommunications as a major, he joined the Siemens
Networking department, and focused on the integration of Juniper Networks and Siemens products.
There, he gathered a lot of experience and skills in the networking area by taking an active part in
numerous projects all over the world. It was during that time that his teaching career started.
In the beginning of 2009, he left Siemens on his own initiative, and became a full time instructor and
technical consultant, over a vast geographic area (EMEA and more).
Richard is an energetic young man, with interests ranging across numerous sport disciplines like
tennis, soccer, skiing and others. Richard speaks English, German, Czech and Slovak. Richard is a
certified Juniper Networks Instructor and holds the following certifications: JNCIS-FWV, JNCIP-SEC,
JNCIS-ENT, JNCIA-EX, JNCI.





Rack rental service

Did you know that this workbook can be used in combination with our premium JNCIE rack rental
service? Take a look at our website for more information: www.inetzero.com


Table of Contents
Chapter One: General System Features
Task 1: Initial System Configuration
Task 2: User Authentication and Authorization
Task 3: Syslog Configuration
Task 4: SNMP Configuration
Task 5: Firewall Filters
Chapter Two: L2 Switching
Task 1: L2 Switching Network Deployment
Task 2: Virtual Chassis
Task 3: VLAN Configuration
Task 4: MSTP Configuration
Task 5: VRRP Configuration
Task 6: L2 Switching Security Features
Chapter Three: IGP Routing
Task 1: IPv4 Network Deployment
Task 2: OSPF Configuration
Task 3: RIP Configuration and Redistribution Policies
Task 4: Protocol-independent Routing and Routing Policies
Task 5: IPv6 Network Deployment
Task 6: IPv6 IGP Routing
Chapter Four: BGP Routing
Task 1: Base Network Deployment
Task 2: BGP Configuration
Task 3: IPv4 BGP Routing Policies
Task 4: IPv6 BGP Routing Policies
Chapter Five: Multicast Routing
Task 1: Base Network Deployment
Task 2: Multicast Configuration
Task 3: Multicast Verification
Chapter Six: Class of Service
Task 1: Base Network Deployment
Task 2: SRX Forwarding Classes, Queues, and Schedulers
Task 3: EX Forwarding Classes, Queues, and Schedulers
Task 4: Network Edge CoS Configuration
Task 5: Network Core CoS Configuration
Task 6: CoS Verification
Chapter Seven: A Full Day Lab Challenge
Task 1: Initial System Configuration
Task 2: Building the Network
Task 3: L2 Switching Configuration
Task 4: IGP Configuration
Task 5: BGP Configuration

Task 6: Multicast Configuration
Task 7: Class of Service Configuration
Appendix - Chapter One: General System Features
Solution - Task 1: Initial System Configuration
Solution - Task 2: User Authentication and Authorization
Solution - Task 3: Syslog Configuration
Solution - Task 4: SNMP Configuration
Solution - Task 5: Firewall Filters
Appendix - Chapter Two: L2 Switching
Solution - Task 1: L2 Switching Network Deployment
Solution - Task 2: Virtual Chassis
Solution - Task 3: VLAN Configuration
Solution - Task 4: MSTP Configuration
Solution - Task 5: VRRP Configuration
Solution - Task 6: L2 Switching Security Features
Appendix - Chapter Three: IGP Routing
Solution - Task 1: IPv4 Network Deployment
Solution - Task 2: OSPF Configuration
Solution - Task 3: RIP Configuration and Redistribution Policies
Solution - Task 4: Protocol-independent Routing and Routing Policies
Solution - Task 5: IPv6 Network Deployment
Solution - Task 6: IPv6 IGP Routing
Appendix - Chapter Four: BGP Routing
Solution - Task 1: Base Network Deployment
Solution - Task 2: BGP Configuration
Solution - Task 3: IPv4 BGP Routing Policies
Solution - Task 4: IPv6 BGP Routing Policies
Appendix - Chapter Five: Multicast Routing
Solution - Task 1: Base Network Deployment
Solution - Task 2: Multicast Configuration
Solution - Task 3: Multicast Verification
Appendix - Chapter Six: Class of Service
Solution - Task 1: Base Network Deployment
Solution - Task 2: SRX Forwarding Classes, Queues, and Schedulers
Solution - Task 3: EX Forwarding Classes, Queues, and Schedulers
Solution - Task 4: Network Edge CoS Configuration
Solution - Task 5: Network Core CoS Configuration
Solution - Task 6: CoS Verification
Appendix - Chapter Seven: A Full Day Lab Challenge
The D1 configuration listing.
The D2 configuration listing.
The D3 configuration listing.
The D4 configuration listing.

The D5 configuration listing.
The D6 configuration listing.
The D7 configuration listing.
The D8 configuration listing.





Chapter One: General System Features
TIP: Throughout the workbook, we recommend that you read the entire chapter before starting
the first task.
This chapter focuses on initial system configuration and general system features. You will configure
various features, such as host name, root password, management network access, management user
authentication and authorization, NTP, SNMP, Syslog and RE protection firewall filters. You will be
operating 8 devices, D1 through D8, referred to as your devices. The topology for chapter one is shown in
Figure 1.


Figure 1
Task 1: Initial System Configuration
In this part you will configure your devices’ host names, root passwords, and the OoB management
interfaces, including the definition of specific services allowed to access the devices, static routing and
DNS.
1) Download the latest initial configurations from the download section of our website
http://www.inetzero.com and load them on your devices. Use root password root123 in every
device.
2) Using user name lab and password lab123, log in to the VR-device and load override the
Chapter 1 baseline configuration.
NOTE: You are not allowed to change any of the VR-device settings except those that are loaded in the
baseline file throughout all chapter tasks.
3) Configure host names in the devices according to Table 1.

Table 1
Device   Device Type   Host Name
D1       SRX 240       Mercury
D2       SRX 240       Venus
D3       SRX 240       Earth
D4       SRX 240       Mars
D5       EX 4200       Jupiter
D6       EX 4200       Saturn
D7       EX 4200       Uranus
D8       EX 4200       Neptune
4) Configure the OoB management interfaces in each device with the appropriate IP addresses.
The devices and their respective IP addresses are listed in Table 2.
Table 2
Device   OoB Interface Name   OoB Interface IP Address
D1       ge-0/0/0             10.10.1.1/24
D2       ge-0/0/0             10.10.1.2/24
D3       ge-0/0/0             10.10.1.3/24
D4       ge-0/0/0             10.10.1.4/24
D5       me0                  10.10.1.11/24
D6       me0                  10.10.1.12/24
D7       me0                  10.10.1.13/24
D8       me0                  10.10.1.14/24
5) Enable each device to accept management connections for the SSH, Telnet, HTTP, and HTTPS
services. Make the system use an automatically generated X.509 certificate for HTTPS. Make sure
all devices accept HTTP and HTTPS management access only on the OoB management ports.
6) Configure a static route to the management network 10.10.10/24 with the next-hop
10.10.1.254. Make sure the network is never redistributed to any dynamic routing protocol.
Ensure the device is reachable while RPD is not running.
7) Configure the S1 server as the DNS server.
8) Set the time zone to Europe/Amsterdam on all your devices.
9) Ensure that all your devices synchronize their time with the NTP server S1. Configure the
devices to synchronize time with S1 at boot time. Ensure that all the NTP exchanges are
authenticated using MD5 with password workbook.
NOTE: The lab uses a dedicated VR-device to emulate external systems interacting with your domain.
The device is reachable at the IP address 10.10.1.9.
NOTE: Server S1 is the dedicated FTP/SNMP/Syslog/RADIUS/DNS proxy server. The server is reachable
at the IP address 10.10.10.1.



...
...
DEMO
...
...

Task 2: User Authentication and Authorization
In this part you will configure new users allowed to access the devices and define their privileges and
permissions.
1) Configure the authentication method so that it first tries to authenticate users on the RADIUS
server and then, if not successful, with the local password. Use S2 as the RADIUS server. Configure the
RADIUS server with retry attempts 1 and timeout 2 seconds. Use workbook as the RADIUS
shared secret.
2) Create on every device a new user lab, with the password lab123, that will have super user
privileges.
3) Configure additional users on all the devices as defined in Table 3. Note that the word “any” in
Table 3 is used literally, i.e. a user can have any user name.
TIP: From this point on we recommend that you operate the routers using the lab user account.
Table 3
Username   Password   Privileges
Any        -          Permissions “view” and “view-configuration”. Authenticated on the RADIUS server S2
Support    noc123     Permissions “all”. Additionally cannot execute any of the “clear”, “configure”, “edit” or “start shell” commands
...
...
DEMO
...
...


Task 3: Syslog Configuration
Ensure that all the devices have the following Syslog configuration:
5) All “emergency” messages regardless of facility are displayed on the terminals of all currently
logged-in users.
6) All messages regardless of facility with the severity level of “info” and higher are sent to the
default syslog file.
7) A file named “interactive-commands” for command audit tracking receives records about the
users and the commands they execute.
8) A separate file named “authorization-file” is used for authorization messages with the
severity “info” and higher.
9) All messages with severity level “warning” and higher regardless of facility are sent to the S1
syslog server. Additionally use the explicit priority tag and the message prefix “JNCIE-ENT”.
The archive size is set to 3 files with 100K size each.
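
An added example, not part of the workbook or its solutions: a Python check that audits `show configuration system syslog | display set` output against the Task 3 requirements above. The sample configuration is constructed; the check assumes that `messages` is the default syslog file and uses the S1 address 10.10.10.1 given in the Task 1 note.

```python
import re

# Constructed sample input (not the workbook's solution): one possible
# `show configuration system syslog | display set` output for Task 3.
SAMPLE = """\
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog host 10.10.10.1 any warning
set system syslog host 10.10.10.1 log-prefix JNCIE-ENT
set system syslog host 10.10.10.1 explicit-priority
set system syslog file messages any info
set system syslog file interactive-commands interactive-commands any
set system syslog file authorization-file authorization info
"""

S1 = "10.10.10.1"          # S1 address from the Task 1 note
DEFAULT_FILE = "messages"  # assumption: the "default syslog file" is messages

# (requirement, destination, setting, required value), one row per task item.
# Values are matched exactly, so a broader selector than asked is flagged too.
REQUIREMENTS = [
    ("emergency to all logged-in users", ("user", "*"), "any", "emergency"),
    ("info and higher to default file", ("file", DEFAULT_FILE), "any", "info"),
    ("command audit file", ("file", "interactive-commands"), "interactive-commands", "any"),
    ("authorization file", ("file", "authorization-file"), "authorization", "info"),
    ("warning and higher to S1", ("host", S1), "any", "warning"),
    ("explicit priority on S1", ("host", S1), "explicit-priority", True),
    ("message prefix on S1", ("host", S1), "log-prefix", "JNCIE-ENT"),
    ("archive of 3 files", ("archive", ""), "files", "3"),
    ("archive file size 100K", ("archive", ""), "size", "100k"),
]


def parse(text):
    """Map (kind, name) -> {setting: value} from display-set syslog lines."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"set system syslog (\S+) (.+)$", line.strip())
        if not m:
            continue
        kind, rest = m.group(1), m.group(2).split()
        name = ""
        if kind != "archive":      # user|host|file <name> <setting> [value]
            name, rest = rest[0], rest[1:]
        if not rest:
            continue
        # A setting without a value (explicit-priority) is a presence flag.
        cfg.setdefault((kind, name), {})[rest[0]] = rest[1] if len(rest) > 1 else True
    return cfg


def audit(text):
    """Return the requirements that the given configuration does not meet."""
    cfg = parse(text)
    return [desc for desc, dest, setting, want in REQUIREMENTS
            if cfg.get(dest, {}).get(setting) != want]


if __name__ == "__main__":
    print("unmet:", audit(SAMPLE) or "none")
```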


...
...
DEMO
...
...


Chapter Two: L2 Switching
This chapter focuses on L2 switching applications. In these tasks you will be configuring and monitoring
L2 features such as Aggregated Ethernet links, VLANs and PVLANs, VLAN routing interface, VRRP,
Virtual Chassis, LLDP, Voice VLAN as well as the security features 802.1X, MAC RADIUS, Storm control and
MAC address limiting.

The summarized view of the L2 network that you are going to build is shown in Figure 2.

Figure 2

...
...
DEMO
...
...



Task 2: Virtual Chassis
1) Set D7 and D8 to have them merged into a Virtual Chassis. Ensure that both backplane VCP
ports are used to connect the VC members. Ensure that D7 becomes a master RE with
member ID 0 and holds the mastership when it is operational.
NOTE: The VCP ports are already physically connected.
2) Restore the VC non-master member interfaces configuration appropriately.
3) Configure the vme.0 VC management interface with the IP address set to the master RE OoB
management interface IP address.

...
...
DEMO
...
...

Task 4: MSTP Configuration
In this task you will configure the MSTP protocol to provide traffic load balancing across multiple VLANs.
1) Configure a single MSTP region with two MSTP instances: Instance 1 and Instance 2. Instance
1 must be bound to VLAN A, Instance 2 must be bound to VLANs B and C. Ensure that the
Instance 1 Spanning tree is rooted at D5 and the Instance 2 Spanning tree is rooted at D6.
Ensure that CIST root is at D1.
...
...
DEMO
...
...


Chapter Four: BGP Routing
This chapter focuses on BGP routing. You will configure both IPv4 and IPv6 in a multi-AS BGP network, set
up policy-based traffic engineering and route redistribution, and configure aggregate routes and BGP over
GRE tunnels.

The summarized view of the BGP network that you are going to build is shown in Figure 6.

Figure 3

...
...
DEMO
...
...
Task 3: IPv4 BGP Routing Policies
In this task you are configuring BGP routing policies to control traffic flows among your Autonomous
systems and the Internet.
NOTE: You are not allowed to use static routes in this task.
1) Configure D7 and D8 to advertise RIP routes to iBGP peers. Configure D7 and D8 to advertise
the BGP default route to RIP. Make sure that D7 and D8 use optimal routing to the Internet
destinations.
2) Configure D3 and D4 to advertise the tightest possible summary route representing all your
Autonomous Systems’ internal prefixes, including the RIP prefixes, to the Internet. No other
prefixes are allowed to be advertised at D3 to the Internet.

...
...
DEMO
...
...


Chapter Five: Multicast Routing
In this chapter you will be configuring and monitoring Multicast network applications such as PIM
sparse mode multicast distribution for both ASM and SSM models, IGMPv2 and IGMPv3, the PIM
Bootstrap protocol, the MSDP protocol and Anycast RP, and Multicast Scoping.
The summarized view of the Multicast enabled network that you are going to build is shown in Figure 8.

Figure 4
...
...
DEMO
...
...
